When you hear the name Equifax, what comes to mind? For many people, it is the expansive data breach of 2017, which destroyed consumer trust. Keep customers happy and build lasting relationships by making sure you’re focused on security.
In 2022, Statista reported there were 1,082 data breaches in the U.S., and those breaches affected 422.14 million people. As of October 2023, there have been 694 data breaches with 612 million people impacted. Progress MOVEit is one of the biggest. The secure MFT software is used around the world, and many organizations that use it were impacted, including the Government of Nova Scotia, Johns Hopkins University, Oregon DOT, Shell, UCLA, and United Healthcare Student Resources. More than 60 million individuals have been affected so far.
When a breach happens, even if it isn’t directly caused by you, it impacts consumer confidence. Taking every possible step to prevent breaches and protect consumers’ PII is essential. How do you do that?
Follow the Federal Trade Commission’s Five-Step Plan
The FTC has a simple five-step guide to protecting PII, which is an important part of gaining customer trust.
Make sure you have a list of the PII your company stores in files, computer hard drives, and external devices. What devices contain PII? Don’t overlook anything, and keep each device’s current location recorded in that inventory. If someone uses a device and removes it from a storeroom, they need to sign it out.
What information is sent to you at any point of the day? Even if the person sending you information is a one-time user or customer, you need to know what information you’re getting from them, any contractors, etc., and know the route that information takes to reach you. Where is that information transmitted, and how is it handled at each touchpoint?
Know the laws that apply to your business or organization, too. If you have private medical data in your files, HIPAA laws apply. The Gramm-Leach-Bliley Act applies to financial and insurance companies. There are also state and EU laws that may impact you, so storing and using cookies may not be allowed without the user’s consent.
Don’t store more information than is absolutely necessary. If you are selling products in an online store, there’s no reason to keep a customer’s age, race, or date of birth. You might think it’s important to have this information for marketing, but you have to decide what’s most important for the business transaction. Storing too much PII is risky.
Storing a credit card number isn’t necessary outside of a subscription service. You also are not likely to need a customer’s SSN. It’s especially important to avoid keeping this information tied to a mobile app. The more touchpoints and information you’re storing, the more work you have to do to ensure it’s protected.
At the same time, limit access to PII to those who need to access it. Your sales team may need to access credit cards, but someone in the distribution warehouse wouldn’t need it.
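The two points above, store only the fields the transaction needs and let only the roles that need a field read it, can be enforced in code rather than left to policy. The following is an added example, not code from the original article or from ERI: a small in-memory PII store that drops non-essential fields before saving, keeps only the last four digits of a card number, and checks a role-to-field permission map on every read while writing an audit trail. The field names, roles, and sample customer record are constructed for illustration.

```python
"""Added example (not from the original article): a minimal PII store that
enforces 'store only what you need' and 'limit access to those who need it'.
Field names, roles and the sample record are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Fields the business transaction actually needs (an assumption for the example).
# Anything not listed (age, race, date_of_birth, ssn, ...) is dropped before storage.
ALLOWED_FIELDS: Set[str] = {"name", "email", "shipping_address", "card_last4"}

# Which roles may read which stored fields (constructed least-privilege mapping):
# sales may see the masked card, the warehouse only needs a name and address.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "sales": {"name", "email", "shipping_address", "card_last4"},
    "warehouse": {"name", "shipping_address"},
}


class AccessDenied(PermissionError):
    """Raised when a role asks for a field it is not permitted to read."""


def minimize(record: dict) -> Tuple[dict, List[str]]:
    """Keep only allowed fields; return (stored_record, sorted list of dropped fields)."""
    kept = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    dropped = sorted(k for k in record if k not in ALLOWED_FIELDS)
    return kept, dropped


def mask_card(number: str) -> str:
    """Retain only the last four digits; the full card number never reaches storage."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[-4:]


@dataclass
class PiiStore:
    _records: Dict[str, dict] = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def save(self, customer_id: str, raw: dict) -> List[str]:
        """Minimize the incoming record and store it; return the fields that were dropped."""
        raw = dict(raw)
        if "card_number" in raw:
            raw["card_last4"] = mask_card(raw.pop("card_number"))
        stored, dropped = minimize(raw)
        self._records[customer_id] = stored
        self.audit_log.append(("save", customer_id, dropped))
        return dropped

    def read(self, customer_id: str, role: str, fields: List[str]) -> dict:
        """Return the requested fields only if the role is permitted to read all of them."""
        allowed = ROLE_PERMISSIONS.get(role, set())
        denied = [f for f in fields if f not in allowed]
        if denied:
            self.audit_log.append(("denied", customer_id, role, denied))
            raise AccessDenied(f"role {role!r} may not read {denied}")
        rec = self._records[customer_id]
        self.audit_log.append(("read", customer_id, role, list(fields)))
        return {f: rec[f] for f in fields if f in rec}

    def delete(self, customer_id: str) -> bool:
        """Remove the record once the customer leaves; True if it is gone."""
        self._records.pop(customer_id, None)
        self.audit_log.append(("delete", customer_id))
        return customer_id not in self._records


# Constructed sample input: an online-store checkout that over-collects data.
SAMPLE_CUSTOMER = {
    "name": "Jane Doe",
    "email": "jane@example.com",
    "shipping_address": "1 Main St",
    "card_number": "4111 1111 1111 1111",
    "date_of_birth": "1990-01-01",
    "ssn": "123-45-6789",
    "race": "n/a",
}


def demo() -> Tuple[List[str], dict, bool]:
    """Save the sample, read it as sales, and confirm the warehouse cannot see card data."""
    store = PiiStore()
    dropped = store.save("c1", SAMPLE_CUSTOMER)
    sales_view = store.read("c1", "sales", ["name", "card_last4"])
    try:
        store.read("c1", "warehouse", ["card_last4"])
        warehouse_blocked = False
    except AccessDenied:
        warehouse_blocked = True
    return dropped, sales_view, warehouse_blocked


if __name__ == "__main__":
    print(demo())
```

The audit log is the part that makes the spreadsheet of "who accesses what" verifiable: a denied read is recorded as well as a successful one, so the record of access can be reconciled against the inventory rather than assumed.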
You’ve taken proper steps and have a spreadsheet of where PII is stored and who accesses it, and you’ve scaled down the unnecessary information. It’s time to check your security measures. Make sure you take the utmost care in protecting the information your business needs to store.
Paper documents need to be in fireproof, locking files. The same is true of thumb drives and external hard drives. Keep them locked away in a room that only authorized personnel can access.
Computers cannot be left unlocked while someone takes lunch or goes to the bathroom. Users need to log off and turn off the screen. An automatic lock or sleep timeout is worthwhile.
Make sure you have heightened security like firewalls, security suite software, and private networks that constantly monitor for threats. If you have to send anything, use encryption. Do not allow employees to download software. If they get an email from a shareholder or manager asking them to click a link or open a file, they should not do so without verifying it’s truly from the sender.
Any software that is used has to be updated regularly. Turn on security software to update automatically and run scans regularly. Set a schedule.
The other step is to make sure workers use strong passwords and have multi-factor authentication turned on. The harder it is to get into software, the more secure it is.
When a customer leaves or information is no longer required, destroy the data. If a computer breaks down or is no longer needed, don’t donate it or put it up for sale or auction without destroying the data. Data destruction is a must.
Paper documents must be shredded into the smallest pieces possible. Storage devices like thumb drives and external hard drives, and electronic items like smartphones or tablets, shouldn’t just be restored to factory settings. That’s not enough. You need a professional ITAD provider to ensure data is destroyed to prevent any future access.
Have a plan in place in case of a breach, theft, or other incident. You can’t guarantee that your office or store is never broken into. Ransomware is always a risk. It’s important to have a plan in place if the worst-case scenario happens.
If there is a breach, have steps for employees to follow. That may mean shutting off all computers and working manually for a while. Report the breach to the proper authorities and alert your legal team immediately. Don’t wait weeks or months to report the breach or theft.
Carefully Choose an ITAD Provider
Any electronic devices you have must be destroyed properly. If they still have value, data destruction has to be part of the refurbishing process. Working with a highly rated, certified ITAD provider is essential.
There are a few certifications to look for when you choose an ITAD provider. Take a closer look at what they are and what they mean.
- e-Stewards – Electronics recycling is done following measures that protect the environment, including processing and recycling all electronic items locally and shipping nothing overseas.
- NAID AAA – Data protection practices, including security processes and procedures, the equipment used, and employee training, all meet i-SIGMA’s rigorous standards.
- R2 – Recycling practices protect the environment, support a circular economy by preserving resources, and keep workers safe and healthy.
ERI is certified in e-Stewards, NAID AAA, and R2. In addition, ERI is the nation’s first AICPA SOC 2 Type II certified company. This certification goes to e-recycling companies that effectively train employees for risk management and industry compliance.
By partnering with an expert in data destruction, your customers’ PII is protected. You’ve done everything possible to prevent breaches and data theft. Plus, you’ll have proof from ERI that you followed the laws and regulations. Talk to us about your ITAD needs, whether you need data destruction at your place of business or feel comfortable shipping it to one of our secure facilities.